TL;DR
These prompts help you implement proper encryption for sensitive data in your application. They cover encrypting data at rest in databases, securing data in transit, managing encryption keys properly, and choosing the right encryption algorithms for your use case.
Application-Level Encryption
Use this prompt to add encryption for sensitive fields in your database:
Add encryption for sensitive database fields in my application.
Fields to encrypt: list your sensitive fields, e.g., SSN, credit card, personal notes
Requirements:
- Use AES-256-GCM for encryption (authenticated encryption)
- Store encryption keys in environment variables, not in code
- Create encrypt/decrypt utility functions
- Handle the key properly (never log it, use secure memory)
- Include IV (initialization vector) with each encrypted value
Implementation should:
- Encrypt before saving to database
- Decrypt when reading from database
- Work with my ORM (Prisma/Drizzle/Mongoose)
- Handle migration of existing unencrypted data
- Allow key rotation in the future
Also explain how to store the encrypted data (base64, hex, binary).
Node.js Encryption
Create a secure encryption utility for Node.js using the built-in crypto module.
Create functions for:
- encrypt(plaintext, key) - returns encrypted string with IV
- decrypt(ciphertext, key) - returns original plaintext
- generateKey() - creates a secure encryption key
- deriveKey(password, salt) - derives key from password
Requirements:
- Use AES-256-GCM (authenticated encryption)
- Include authentication tag to prevent tampering
- Generate random IV for each encryption
- Return format: base64(iv + authTag + ciphertext)
- TypeScript types for all functions
Also create:
- Key rotation helper (re-encrypt with new key)
- Secure comparison function for encrypted values
- Error handling for decryption failures (don't leak info)
Encrypt API Payloads
Add encryption layer for sensitive API payloads beyond HTTPS.
Use case: Extra protection for highly sensitive data (health records, financial data)
Implement:
- Client-side encryption before sending to API
- Server-side decryption on receipt
- Key exchange mechanism (or use pre-shared keys)
- Request signing to prevent tampering
Create:
- Client utility (JavaScript/TypeScript)
- Server middleware to decrypt incoming requests
- Response encryption for sensitive return data
- Key management approach
This is for defense in depth, not replacing HTTPS.
Never roll your own crypto: Use well-tested libraries and standard algorithms (AES-256-GCM, ChaCha20-Poly1305). Don't invent encryption schemes, don't use ECB mode, and don't use MD5/SHA1 for security purposes.
Key Management
Set up proper encryption key management for my application.
I need:
- Secure key storage (not in code or config files)
- Key rotation strategy without downtime
- Different keys for different data types
- Audit logging of key usage
Options to consider:
- Environment variables (basic)
- AWS KMS / Google Cloud KMS / Azure Key Vault
- HashiCorp Vault
- Encrypted key file with master password
For my scale: describe - startup/small/enterprise
Create:
- Key storage implementation
- Key rotation procedure
- Backup and recovery plan
- Access control for keys
Pro tip: Consider using envelope encryption for large datasets. Encrypt the data with a data key, then encrypt the data key with a master key. This makes key rotation much faster since you only re-encrypt the small data key.
Should I encrypt all data in my database?
No. Encrypt sensitive personal data (SSN, health info, financial details). Encrypting everything adds complexity and can hurt performance and searchability. Most databases offer transparent data encryption (TDE) for general protection.
What's the difference between encryption and hashing?
Encryption is reversible (you can decrypt). Hashing is one-way (you can't get the original back). Use encryption for data you need to read later. Use hashing for passwords and data you only need to verify.
Is HTTPS enough for data in transit?
For most applications, yes. Add application-level encryption only for highly sensitive data where you need defense in depth, or when data passes through systems you don't fully trust.